boB Rudis
3 years ago
22 changed files with 909 additions and 12 deletions
@ -1,4 +1,14 @@ |
|||||
# Generated by roxygen2: do not edit by hand |
# Generated by roxygen2: do not edit by hand |
||||
|
|
||||
import(httr) |
export(find_zeek) |
||||
importFrom(jsonlite,fromJSON) |
export(get_zeek) |
||||
|
export(man_zeek) |
||||
|
export(pcap_to_zeek) |
||||
|
export(read_zeek_logs) |
||||
|
export(zeek) |
||||
|
export(zeek_man) |
||||
|
import(arrow) |
||||
|
import(ndjson) |
||||
|
importFrom(tools,file_ext) |
||||
|
importFrom(tools,file_path_sans_ext) |
||||
|
importFrom(utils,browseURL) |
||||
|
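--- a/R/get-zeek.R
+++ b/R/get-zeek.R
@@ -0,0 +1,10 @@
+#' Get Zeek
+#'
+#' Opens the default browser to the place where you can get Zeek.
+#'
+#' @export
+#' @examples
+#' if (interactive) get_zeek()
+get_zeek <- function() {
+utils::browseURL("https://zeek.org/get-zeek/")
+}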
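Review bot: The example `if (interactive) get_zeek()` tests the function object `interactive` rather than calling it, and `if` on a closure errors with "argument is not interpretable as logical", so this example fails under `R CMD check`. It should read `#' if (interactive()) get_zeek()`. The same text is carried into the generated `man/get_zeek.Rd`, so re-run roxygen after fixing the source.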
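--- a/R/pcap_to_zeek.R
+++ b/R/pcap_to_zeek.R
@@ -0,0 +1,106 @@
+#' Process a PCAP with Zeek and create Parquet files
+#'
+#' @param pcap path to PCAP to process. ([path.expand()] will be called on this value)
+#' @param out_dir path to Parquet files. ([path.expand()] will be called on this value)
+#' If the directory does not exist it will be created. If ho directory is specified
+#' a temporary directory will be created and used. You should
+#' call [unlink()] on this path if you used a temporary directory.
+#' @param zeek_opts extra options passed to to Zeek command line. NOTE:
+#' `--no-checksums`, `LogAscii::use_json=T`, and `Log::default_scope_sep='_'`
+#' are already handled by this function; no need to specify them.
+#' @param ... extra named parameters passed on to [arrow::write_parquet()]
+#' @return length 1 character vector of the expanded path of the `out_dir`
+#' @note the `zeek` binary **must** be available on `PATH`. You can use the
+#' environment variable `ZEEK_PATH` as a hint where [find_zeek()] will
+#' look for the `zeek` binary.
+#' @export
+#' @examples
+#' loc <- pcap_to_zeek(system.file("pcap/ssh.pcap", package = "zeekr"))
+#' read_zeek_logs(loc)
+#' unlink(loc) # don't do this IRL until you're done working with or saving.
+pcap_to_zeek <- function(pcap, out_dir = tempfile(pattern = "zeek"), zeek_opts = c(), ...) {
+
+pcap <- path.expand(pcap[1])
+
+if (!file.exists(pcap)) {
+stop(sprintf("PCAP [%s] not found.", pcap), call.=FALSE)
+}
+
+out_dir <- path.expand(out_dir[1])
+if (!dir.exists(out_dir)) dir.create(out_dir)
+
+pcap_link <- file.path(out_dir, basename(pcap))
+
+if (!file.symlink(pcap, pcap_link)) {
+stop(sprintf("Could not create symlink %s for %s.", pcap_link, pcap), call. = FALSE)
+}
+
+zeek_opts <- c("--no-checksums", "LogAscii::use_json=T", "Log::default_scope_sep='_'", zeek_opts, "-r", pcap_link)
+
+wd <- getwd()
+on.exit(setwd(wd))
+setwd(out_dir)
+
+system2(
+command = find_zeek(),
+args = zeek_opts,
+env = c("ZEEK_LOG_SUFFIX=json")
+) -> status
+
+stopifnot("Error converting PCAP." = (status == 0))
+
+if (!file.remove(pcap_link)) {
+stop(sprintf("Could not remove symlink %s", pcap_link), call.=FALSE)
+}
+
+in_fils <- list.files(out_dir, pattern = "\\.json$", full.names = TRUE)
+out_fils <- sub("\\.json$", ".parquet", in_fils)
+
+for (idx in seq_along(in_fils)) {
+
+arrow::write_parquet(
+x = arrow::read_json_arrow(
+file = in_fils[idx],
+as_data_frame = FALSE
+),
+sink = out_fils[idx],
+...
+)
+
+file.remove(in_fils[idx])
+
+}
+
+out_dir
+
+}
+
+#' Find the Zeek binary
+#'
+#' Use the environment variable `ZEEK_PATH` or specify the directory in
+#' the call to this function.
+#'
+#' @param path hint to where to look for the Zeek binary
+#' @export
+#' @return length 1 character vector of the path to the zeek binary or `""`
+#' @examples
+#' find_zeek()
+find_zeek <- function(path = Sys.getenv("ZEEK_PATH", "")) {
+
+if (path != "") {
+Sys.setenv(
+PATH = paste0(path, Sys.getenv("PATH"), sep = .Platform$path.sep)
+)
+}
+
+res <- Sys.which("zeek")
+stopifnot(
+c("Cannot locate Zeek binary." = (res != ""))
+)
+unname(res)
+}
+
+set_names <- function (object = nm, nm) {
+names(object) <- nm
+object
+}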
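Review bot: `paste0()` has no `sep` argument, so in `find_zeek` the `sep = .Platform$path.sep` value is pasted as a trailing element and `path` is glued directly onto the current `PATH` with no separator between them, which means the `ZEEK_PATH` hint can never make `Sys.which("zeek")` succeed; use `PATH = paste(path, Sys.getenv("PATH"), sep = .Platform$path.sep)` (and note this `Sys.setenv()` changes `PATH` for the rest of the session, not just for the lookup). In `pcap_to_zeek`, `pcap_link` and the caller's `zeek_opts` go to `system2()` unquoted, and `system2()` assembles a shell command line, so a PCAP whose base name contains a space or a shell metacharacter yields a broken or unintended command; pass `shQuote(pcap_link)` and quote user-supplied options the same way. The symlink is only removed on the success path, so a zeek run that fails the `stopifnot()` leaves the link behind in `out_dir`; registering the removal with `on.exit(..., add = TRUE)` alongside the `setwd()` restore covers both paths. The named-message form `stopifnot("Error converting PCAP." = ...)` used here and in `find_zeek` requires R >= 4.0.0, while the README badge advertises R >= 3.6.0, so either the declared minimum version or these checks need to change. The `@return` on `find_zeek` still says `""` may be returned, which the `stopifnot()` makes impossible.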
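--- a/R/read-zeek-logs.R
+++ b/R/read-zeek-logs.R
@@ -0,0 +1,32 @@
+#' Read zeek logs from a processed PCAP into a list
+#'
+#' @note Logs must be in Parquet or JSON format.
+#' @param log_dir directory of zeek logs
+#' @export
+#' @examples
+#' loc <- pcap_to_zeek(system.file("pcap/ssh.pcap", package = "zeekr"))
+#' read_zeek_logs(loc)
+#' unlink(loc) # don't do this IRL until you're done working with or saving.
+read_zeek_logs <- function(log_dir) {
+
+log_dir <- path.expand(log_dir[1])
+
+stopifnot("Cannot find directory." = dir.exists(log_dir))
+
+in_fils <- list.files(log_dir, full.names = TRUE)
+
+fil_names <- make.unique(tools::file_path_sans_ext(basename(in_fils)))
+
+lapply(in_fils, function(.x) {
+
+if (tools::file_ext(.x) == "parquet") {
+arrow::read_parquet(.x)
+} else {
+ndjson::stream_in(.x, cls = "tbl")
+}
+
+}) -> out
+
+set_names(out, fil_names)
+
+}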
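Review bot: `list.files(log_dir, full.names = TRUE)` returns every entry in the directory, and everything whose extension is not exactly `parquet` — a stray `.pcap` left by a failed `pcap_to_zeek()` run, a subdirectory, a `.json.gz` — is handed to `ndjson::stream_in()`, even though the `@note` says only Parquet or JSON logs are supported. Restricting the listing to the documented formats keeps the contract honest: `in_fils <- list.files(log_dir, pattern = "\\.(parquet|json)$", full.names = TRUE)`. It would also be worth documenting in `@return` that the result is a named list keyed by the log name (`conn`, `ssh`, ...) with `make.unique()` applied when a name repeats, since that is what `set_names(out, fil_names)` produces.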
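--- a/R/zeek-man.R
+++ b/R/zeek-man.R
@@ -0,0 +1,86 @@
+#' Zeek Manual Page Quick Reference
+#'
+#' `zeek` - passive network traffic analyzer
+#'
+#' ## SYNOPSIS
+#'
+#' **`zeek`** `[*options*] [*file* ...]`
+#'
+#' ## DESCRIPTION
+#'
+#' Zeek is primarily a security monitor that inspects all traffic on a link in depth for signs of suspicious activity. More generally, however, Zeek supports a wide range of traffic analysis tasks even #' outside of the security domain, including performance measurements and helping with trouble-shooting.
+#'
+#' Zeek comes with built-in functionality for a range of analysis and detection tasks, including detecting malware by interfacing to external registries, reporting vulnerable versions of software seen on #' the network, identifying popular web applications, detecting SSH brute-forcing, validating SSL certificate chains, among others.
+#'
+#' ## OPTIONS
+#'
+#' * **`<file>`**: policy file, or read stdin
+#' * **`-a`**, `--parse-only`: exit immediately after parsing scripts
+#' * **`-b`**, `--bare-mode`: don't load scripts from the base/ directory
+#' * **`-d`**, `--debug-policy:` activate policy file debugging
+#' * **`-e`**, `--exec <zeek code>`: augment loaded policies by given code
+#' * **`-f`**, `--filter <filter>`: tcpdump filter
+#' * **`-h`**, `--help|-?`: command line help
+#' * **`-i`**, `--iface <interface>`: read from given interface
+#' * **`-p`**, `--prefix <prefix>`: add given prefix to policy file resolution
+#' * **`-r`**, `--readfile <readfile>`: read from given tcpdump file
+#' * **`-s`**, `--rulefile <rulefile>`: read rules from given file
+#' * **`-t`**, `--tracefile <tracefile>`: activate execution tracing
+#' * **`-w`**, `--writefile <writefile>`: write to given tcpdump file
+#' * **`-v`**, `--version`: print version and exit
+#' * **`-x`**, `--print-state <file.bst>`: print contents of state file
+#' * **`-C`**, `--no-checksums`: ignore checksums
+#' * **`-F`**, `--force-dns`: force DNS
+#' * **`-I`**, `--print-id <ID name>`: print out given ID
+#' * **`-N`**, `--print-plugins`: print available plugins and exit (**-NN** for verbose)
+#' * **`-P`**, `--prime-dns`: prime DNS
+#' * **`-Q`**, `--time`: print execution time summary to stderr
+#' * **`-R`**, `--replay <events.bst>`: replay events
+#' * **`-S`**, `--debug-rules`: enable rule debugging
+#' * **`-T`**, `--re-level <level>`: set 'RE_level' for rules
+#' * **`-U`**, `--status-file <file>`: Record process status in file
+#' * **`-W`**, `--watchdog`: activate watchdog timer
+#' * **`-X`**, `--zeekygen <cfgfile>`: generate documentation based on config file
+#' * **`--pseudo-realtime[=**<speedup>]`: enable pseudo-realtime for performance evaluation (default 1)
+#' * **`--load-seeds`** `<file>`: load seeds from given file
+#' * **`--save-seeds`** `<file>`: save seeds to given file
+#'
+#' The following option is available only when Zeek is built with the `--enable-debug` configure option:
+#'
+#' **`-B`**, `--debug <dbgstreams>`: Enable debugging output for selected streams ('-B help' for help)
+#'
+#' The following options are available only when Zeek is built with `gperftools` support (use the `--enable-perftools` and `--enable-perftools-debug` configure options):
+#'
+#' **`-m`**, `--mem-leaks`: show leaks
+#' **`-M`**, `--mem-profile`: record heap
+#'
+#' ## ENVIRONMENT
+#'
+#' - **`ZEEKPATH`**: file search path
+#' - **`ZEEK_PLUGIN_PATH`**: plugin search path
+#' - **`ZEEK_PLUGIN_ACTIVATE`**: plugins to always activate
+#' - **`ZEEK_PREFIXES`**: prefix list
+#' - **`ZEEK_DNS_FAKE`**: disable DNS lookups
+#' - **`ZEEK_SEED_FILE`**: file to load seeds from
+#' - **`ZEEK_LOG_SUFFIX`**: ASCII log file extension
+#' - **`ZEEK_PROFILER_FILE`**: Output file for script execution statistics
+#' - **`ZEEK_DISABLE_ZEEKYGEN`**: Disable Zeekygen (Broxygen) documentation support
+#'
+#' ## AUTHOR
+#'
+#' **zeek** was written by The Zeek Project <info@zeek.org>.
+#'
+#' @name zeek_man
+#' @rdname zeek_man
+#' @export
+#' @examples
+#' zeek_man()
+#' man_zeek
+#' ?zeek_man
+zeek_man <- function() {
+help("zeek_man")
+}
+
+#' @rdname zeek_man
+#' @export
+man_zeek <- zeek_man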
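Review bot: The two DESCRIPTION paragraphs each contain a literal `#'` in mid-sentence ("tasks even #' outside of the security domain" and "software seen on #' the network"), left over from joining wrapped lines, and roxygen copies it verbatim into the generated `man/zeek_man.Rd`; break each at the stray marker so it starts a new `#'` line. The `--pseudo-realtime` bullet puts the closing `**` inside the backtick span (`**`--pseudo-realtime[=**<speedup>]``), which is why the Rd shows a raw `**\verb{...}` instead of bold; write it as `#' * **`--pseudo-realtime[=<speedup>]`**: ...`. In the examples, `man_zeek` without parentheses prints the function body rather than opening the help page, so it should be `man_zeek()`. `help("zeek_man")` with no `package = "zeekr"` argument will resolve against whatever packages are attached, so pinning the package avoids picking up a same-named topic elsewhere.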
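--- a/R/zeek-redefs.R
+++ b/R/zeek-redefs.R
@@ -0,0 +1,25 @@
+#' (WIP) Common `redef`initions for Zeek when processing PCAPs
+#'
+#' Zeek is great out-of-the-box, but you may need to tweak behavior
+#' every now and then to perform analyses on the Zeek logs.
+#'
+#' - `redef Log::default_scope_sep = "_"` will turn dots ("`.`") in column
+#' names to underscores ("`_`"). This will make many "big data" environments
+#' much more pleasant to deal with.
+#'
+#' - `redef FileExtraction::path = "/some/where/else"` will reconfigure where
+#' Zeek's output files go.
+#'
+#' - `redef FTP::default_capture_password = T` will turn off Zeek's default
+#' masking of FTP passwords.
+#'
+#' - `redef HTTP::default_capture_password=T` will turn off Zeek's default
+#' state of not capturing HTTP passwords.
+#'
+#' - `redef Intel::read_files += { "/opt/zeek_file_badlist.txt" }` will load in
+#' custom IoCs (see the [Intelligence Framework](https://docs.zeek.org/en/master/frameworks/intel.html))
+#' for more info.
+#'
+#' @name zeek_redefs
+#' @rdname zeek_redefs
+NULL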
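--- a/R/zeek.R
+++ b/R/zeek.R
@@ -0,0 +1,34 @@
+#' Call the Zeek binary with optional custom environment variables and options
+#'
+#' This is just a convenience wrapper around [system2()]. See [find_zeek()] for
+#' information on helping this package find the Zeek binary.
+#'
+#' @param zeek_bin specify a complate path or let [find_zeek()] do the dirty work.
+#' @param args same as [system2()] `args`
+#' @param env same as [system2()] `env`
+#' @return `list` with `stderr`, `stdout`, `status` and `errmsg` (invisibly)
+#' @export
+zeek <- function(zeek_bin = find_zeek(), args = c(), env = c()) {
+
+errf <- tempfile()
+on.exit(unlink(errf))
+
+outf <- tempfile()
+on.exit(unlink(outf))
+
+system2(
+command = zeek_bin,
+args = args,
+env = env,
+stderr = errf,
+stdout = outf
+) -> res
+
+invisible(list(
+stderr = readLines(errf, warn = FALSE),
+stdout = readLines(outf, warn = FALSE),
+status = attr(res, "status"),
+errmsg = attr(res, "errmsg")
+))
+
+}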
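Review bot: The second `on.exit(unlink(outf))` replaces the first `on.exit(unlink(errf))` because neither call passes `add = TRUE`, so the stderr capture file is left behind in the session temp directory on every call; use `on.exit(unlink(c(errf, outf)), add = TRUE)` once after both `tempfile()` calls. With `stdout` and `stderr` given as file names, `system2()` returns the exit code itself as an integer rather than a character vector carrying `status`/`errmsg` attributes (as I read `?system2`), so `attr(res, "status")` and `attr(res, "errmsg")` would both be `NULL` and the documented `status` element is never populated; `status = res` is what the `@return` promises. As in `pcap_to_zeek()`, `args` reaches the shell unquoted, so callers passing file names with spaces or metacharacters get a different command than intended; either document that `args` must already be `shQuote()`d or quote it here.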
@ -1,9 +1,15 @@ |
|||||
#' ... |
#' Tools to Make Analyses Using Zeek Easier |
||||
#' |
#' |
||||
|
#' [Zeek](https://zeek.org/) is an open source network security monitoring |
||||
|
#' system. Tools are provided to make it a bit easier to work with Zeek to perform |
||||
|
#' analyses with R. |
||||
|
#' |
||||
#' @md |
#' @md |
||||
#' @name zeekr |
#' @name zeekr |
||||
#' @keywords internal |
#' @keywords internal |
||||
#' @author Bob Rudis (bob@@rud.is) |
#' @author Bob Rudis (bob@@rud.is) |
||||
#' @import httr |
#' @import arrow |
||||
#' @importFrom jsonlite fromJSON |
#' @import ndjson |
||||
|
#' @importFrom utils browseURL |
||||
|
#' @importFrom tools file_path_sans_ext file_ext |
||||
"_PACKAGE" |
"_PACKAGE" |
||||
|
@ -0,0 +1,129 @@ |
|||||
|
|
||||
|
[![Project Status: Active – The project has reached a stable, usable |
||||
|
state and is being actively |
||||
|
developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active) |
||||
|
[![Signed |
||||
|
by](https://img.shields.io/badge/Keybase-Verified-brightgreen.svg)](https://keybase.io/hrbrmstr) |
||||
|
![Signed commit |
||||
|
%](https://img.shields.io/badge/Signed_Commits-100%25-lightgrey.svg) |
||||
|
[![R-CMD-check](https://github.com/hrbrmstr/zeekr/workflows/R-CMD-check/badge.svg)](https://github.com/hrbrmstr/zeekr/actions?query=workflow%3AR-CMD-check) |
||||
|
[![Linux build |
||||
|
Status](https://travis-ci.org/hrbrmstr/zeekr.svg?branch=master)](https://travis-ci.org/hrbrmstr/zeekr) |
||||
|
![Minimal R |
||||
|
Version](https://img.shields.io/badge/R%3E%3D-3.6.0-blue.svg) |
||||
|
![License](https://img.shields.io/badge/License-AGPL-blue.svg) |
||||
|
|
||||
|
# zeekr |
||||
|
|
||||
|
Tools to Make Analyses Using Zeek Easier |
||||
|
|
||||
|
## Description |
||||
|
|
||||
|
[Zeek](https://zeek.org/) is an open source network security monitoring |
||||
|
system. Tools are provided to make it a bit easier to work with Zeek to |
||||
|
perform analyses with R. |
||||
|
|
||||
|
## What’s Inside The Tin |
||||
|
|
||||
|
The following functions are implemented: |
||||
|
|
||||
|
- `find_zeek`: Find the Zeek binary |
||||
|
- `get_zeek`: Get Zeek |
||||
|
- `pcap_to_zeek`: Process a PCAP with Zeek and create Parquet files |
||||
|
- `read_zeek_logs`: Read zeek logs from a processed PCAP into a list |
||||
|
- `zeek_man`: Zeek Manual Page Quick Reference |
||||
|
- `zeek_redefs`: (WIP) Common redefinitions for Zeek when processing |
||||
|
PCAPs |
||||
|
- `zeek`: Call the Zeek binary with optional custom environment |
||||
|
variables and options |
||||
|
|
||||
|
## Installation |
||||
|
|
||||
|
``` r |
||||
|
remotes::install_git("https://git.rud.is/hrbrmstr/zeekr.git") |
||||
|
``` |
||||
|
|
||||
|
NOTE: To use the ‘remotes’ install options you will need to have the |
||||
|
[{remotes} package](https://github.com/r-lib/remotes) installed. |
||||
|
|
||||
|
## Usage |
||||
|
|
||||
|
``` r |
||||
|
library(zeekr) |
||||
|
|
||||
|
# current version |
||||
|
packageVersion("zeekr") |
||||
|
## [1] '0.1.0' |
||||
|
``` |
||||
|
|
||||
|
``` r |
||||
|
loc <- pcap_to_zeek(system.file("pcap/ssh.pcap", package = "zeekr")) |
||||
|
|
||||
|
list.files(loc) |
||||
|
## [1] "conn.parquet" "packet_filter.parquet" "ssh.parquet" |
||||
|
|
||||
|
zeek <- read_zeek_logs(loc) |
||||
|
|
||||
|
str(zeek, 3) |
||||
|
## List of 3 |
||||
|
## $ conn :Classes 'tbl_df', 'tbl' and 'data.frame': 49 obs. of 18 variables: |
||||
|
## ..$ ts : num [1:49] 1.32e+09 1.32e+09 1.32e+09 1.32e+09 1.32e+09 ... |
||||
|
## ..$ uid : chr [1:49] "CAmnTGoJHwg6hNFea" "CvHC1J1yB5yLVQuXR7" "CE6UIa40hIdUlMZCS2" "CK2bU24sjXqxWxiSpl" ... |
||||
|
## ..$ id_orig_h : chr [1:49] "172.16.238.1" "172.16.238.1" "172.16.238.1" "172.16.238.1" ... |
||||
|
## ..$ id_orig_p : int [1:49] 58389 58389 58389 58389 58397 58389 58389 58398 58389 58399 ... |
||||
|
## ..$ id_resp_h : chr [1:49] "172.16.238.135" "172.16.238.135" "172.16.238.135" "172.16.238.135" ... |
||||
|
## ..$ id_resp_p : int [1:49] 22 22 22 22 22 22 22 22 22 22 ... |
||||
|
## ..$ proto : chr [1:49] "tcp" "tcp" "tcp" "tcp" ... |
||||
|
## ..$ duration : num [1:49] 4.23 NA NA NA 17.78 ... |
||||
|
## ..$ orig_bytes : int [1:49] 0 NA NA NA 1733 NA NA 1733 NA 1589 ... |
||||
|
## ..$ resp_bytes : int [1:49] 0 NA NA NA 2007 NA NA 2007 NA 1943 ... |
||||
|
## ..$ conn_state : chr [1:49] "SH" "SH" "SH" "SH" ... |
||||
|
## ..$ missed_bytes : int [1:49] 0 0 0 0 0 0 0 0 0 0 ... |
||||
|
## ..$ history : chr [1:49] "F" "F" "F" "F" ... |
||||
|
## ..$ orig_pkts : int [1:49] 6 1 1 1 21 1 1 21 1 19 ... |
||||
|
## ..$ orig_ip_bytes: int [1:49] 312 52 52 52 2837 52 52 2837 52 2589 ... |
||||
|
## ..$ resp_pkts : int [1:49] 0 0 0 0 17 0 0 18 0 16 ... |
||||
|
## ..$ resp_ip_bytes: int [1:49] 0 0 0 0 2899 0 0 2951 0 2783 ... |
||||
|
## ..$ service : chr [1:49] NA NA NA NA ... |
||||
|
## $ packet_filter:Classes 'tbl_df', 'tbl' and 'data.frame': 1 obs. of 5 variables: |
||||
|
## ..$ ts : num 1.63e+09 |
||||
|
## ..$ node : chr "zeek" |
||||
|
## ..$ filter : chr "ip or not ip" |
||||
|
## ..$ init : logi TRUE |
||||
|
## ..$ success: logi TRUE |
||||
|
## $ ssh :Classes 'tbl_df', 'tbl' and 'data.frame': 40 obs. of 17 variables: |
||||
|
## ..$ ts : num [1:40] 1.32e+09 1.32e+09 1.32e+09 1.32e+09 1.32e+09 ... |
||||
|
## ..$ uid : chr [1:40] "CUegdV3IvAoKWGu681" "Ci9sXu2lSlpqg3Au47" "Csw04n3ZhbvBDjJTNd" "C3qrkm4EaQi2uvlpD6" ... |
||||
|
## ..$ id_orig_h : chr [1:40] "172.16.238.1" "172.16.238.1" "172.16.238.1" "172.16.238.1" ... |
||||
|
## ..$ id_orig_p : int [1:40] 58395 58396 58397 58398 58399 58402 58403 58404 58405 58406 ... |
||||
|
## ..$ id_resp_h : chr [1:40] "172.16.238.168" "172.16.238.129" "172.16.238.136" "172.16.238.136" ... |
||||
|
## ..$ id_resp_p : int [1:40] 22 22 22 22 22 22 22 22 22 22 ... |
||||
|
## ..$ version : int [1:40] 2 2 2 2 2 2 2 2 2 2 ... |
||||
|
## ..$ auth_success : logi [1:40] TRUE TRUE FALSE FALSE FALSE FALSE ... |
||||
|
## ..$ auth_attempts : int [1:40] 3 1 2 2 1 2 2 2 4 2 ... |
||||
|
## ..$ client : chr [1:40] "SSH-2.0-OpenSSH_5.6" "SSH-2.0-OpenSSH_5.6" "SSH-2.0-OpenSSH_5.6" "SSH-2.0-OpenSSH_5.6" ... |
||||
|
## ..$ server : chr [1:40] "SSH-2.0-OpenSSH_5.3" "SSH-2.0-OpenSSH_5.3" "SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1" "SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1" ... |
||||
|
## ..$ cipher_alg : chr [1:40] "aes128-ctr" "aes128-ctr" "aes128-ctr" "aes128-ctr" ... |
||||
|
## ..$ mac_alg : chr [1:40] "hmac-md5" "hmac-md5" "hmac-md5" "hmac-md5" ... |
||||
|
## ..$ compression_alg: chr [1:40] "none" "none" "none" "none" ... |
||||
|
## ..$ kex_alg : chr [1:40] "diffie-hellman-group-exchange-sha256" "diffie-hellman-group-exchange-sha256" "diffie-hellman-group-exchange-sha256" "diffie-hellman-group-exchange-sha256" ... |
||||
|
## ..$ host_key_alg : chr [1:40] "ssh-rsa" "ssh-rsa" "ssh-rsa" "ssh-rsa" ... |
||||
|
## ..$ host_key : chr [1:40] "a5:3c:40:6e:e8:bf:5d:09:79:c8:4b:2c:65:5f:eb:12" "a5:3c:40:6e:e8:bf:5d:09:79:c8:4b:2c:65:5f:eb:12" "87:11:46:da:89:c5:2b:d9:6b:ee:e0:44:7e:73:80:f8" "87:11:46:da:89:c5:2b:d9:6b:ee:e0:44:7e:73:80:f8" ... |
||||
|
``` |
||||
|
|
||||
|
## zeekr Metrics |
||||
|
|
||||
|
| Lang | # Files | (%) | LoC | (%) | Blank lines | (%) | # Lines | (%) | |
||||
|
|:-----|--------:|-----:|----:|-----:|------------:|-----:|--------:|-----:| |
||||
|
| R | 8 | 0.36 | 100 | 0.37 | 38 | 0.32 | 175 | 0.42 | |
||||
|
| YAML | 2 | 0.09 | 23 | 0.09 | 2 | 0.02 | 2 | 0.00 | |
||||
|
| Rmd | 1 | 0.05 | 12 | 0.04 | 19 | 0.16 | 30 | 0.07 | |
||||
|
| SUM | 11 | 0.50 | 135 | 0.50 | 59 | 0.50 | 207 | 0.50 | |
||||
|
|
||||
|
clock Package Metrics for zeekr |
||||
|
|
||||
|
## Code of Conduct |
||||
|
|
||||
|
Please note that this project is released with a Contributor Code of |
||||
|
Conduct. By participating in this project you agree to abide by its |
||||
|
terms. |
Binary file not shown.
@ -0,0 +1,21 @@ |
|||||
|
% Generated by roxygen2: do not edit by hand |
||||
|
% Please edit documentation in R/pcap_to_zeek.R |
||||
|
\name{find_zeek} |
||||
|
\alias{find_zeek} |
||||
|
\title{Find the Zeek binary} |
||||
|
\usage{ |
||||
|
find_zeek(path = Sys.getenv("ZEEK_PATH", "")) |
||||
|
} |
||||
|
\arguments{ |
||||
|
\item{path}{hint to where to look for the Zeek binary} |
||||
|
} |
||||
|
\value{ |
||||
|
length 1 character vector of the path to the zeek binary or \code{""} |
||||
|
} |
||||
|
\description{ |
||||
|
Use the environment variable \code{ZEEK_PATH} or specify the directory in |
||||
|
the call to this function. |
||||
|
} |
||||
|
\examples{ |
||||
|
find_zeek() |
||||
|
} |
@ -0,0 +1,14 @@ |
|||||
|
% Generated by roxygen2: do not edit by hand |
||||
|
% Please edit documentation in R/get-zeek.R |
||||
|
\name{get_zeek} |
||||
|
\alias{get_zeek} |
||||
|
\title{Get Zeek} |
||||
|
\usage{ |
||||
|
get_zeek() |
||||
|
} |
||||
|
\description{ |
||||
|
Opens the default browser to the place where you can get Zeek. |
||||
|
} |
||||
|
\examples{ |
||||
|
if (interactive) get_zeek() |
||||
|
} |
@ -0,0 +1,38 @@ |
|||||
|
% Generated by roxygen2: do not edit by hand |
||||
|
% Please edit documentation in R/pcap_to_zeek.R |
||||
|
\name{pcap_to_zeek} |
||||
|
\alias{pcap_to_zeek} |
||||
|
\title{Process a PCAP with Zeek and create Parquet files} |
||||
|
\usage{ |
||||
|
pcap_to_zeek(pcap, out_dir = tempfile(pattern = "zeek"), zeek_opts = c(), ...) |
||||
|
} |
||||
|
\arguments{ |
||||
|
\item{pcap}{path to PCAP to process. (\code{\link[=path.expand]{path.expand()}} will be called on this value)} |
||||
|
|
||||
|
\item{out_dir}{path to Parquet files. (\code{\link[=path.expand]{path.expand()}} will be called on this value) |
||||
|
If the directory does not exist it will be created. If ho directory is specified |
||||
|
a temporary directory will be created and used. You should |
||||
|
call \code{\link[=unlink]{unlink()}} on this path if you used a temporary directory.} |
||||
|
|
||||
|
\item{zeek_opts}{extra options passed to to Zeek command line. NOTE: |
||||
|
\code{--no-checksums}, \code{LogAscii::use_json=T}, and \code{Log::default_scope_sep='_'} |
||||
|
are already handled by this function; no need to specify them.} |
||||
|
|
||||
|
\item{...}{extra named parameters passed on to \code{\link[arrow:write_parquet]{arrow::write_parquet()}}} |
||||
|
} |
||||
|
\value{ |
||||
|
length 1 character vector of the expanded path of the \code{out_dir} |
||||
|
} |
||||
|
\description{ |
||||
|
Process a PCAP with Zeek and create Parquet files |
||||
|
} |
||||
|
\note{ |
||||
|
the \code{zeek} binary \strong{must} be available on \code{PATH}. You can use the |
||||
|
environment variable \code{ZEEK_PATH} as a hint where \code{\link[=find_zeek]{find_zeek()}} will |
||||
|
look for the \code{zeek} binary. |
||||
|
} |
||||
|
\examples{ |
||||
|
loc <- pcap_to_zeek(system.file("pcap/ssh.pcap", package = "zeekr")) |
||||
|
read_zeek_logs(loc) |
||||
|
unlink(loc) # don't do this IRL until you're done working with or saving. |
||||
|
} |
@ -0,0 +1,22 @@ |
|||||
|
% Generated by roxygen2: do not edit by hand |
||||
|
% Please edit documentation in R/read-zeek-logs.R |
||||
|
\name{read_zeek_logs} |
||||
|
\alias{read_zeek_logs} |
||||
|
\title{Read zeek logs from a processed PCAP into a list} |
||||
|
\usage{ |
||||
|
read_zeek_logs(log_dir) |
||||
|
} |
||||
|
\arguments{ |
||||
|
\item{log_dir}{directory of zeek logs} |
||||
|
} |
||||
|
\description{ |
||||
|
Read zeek logs from a processed PCAP into a list |
||||
|
} |
||||
|
\note{ |
||||
|
Logs must be in Parquet or JSON format. |
||||
|
} |
||||
|
\examples{ |
||||
|
loc <- pcap_to_zeek(system.file("pcap/ssh.pcap", package = "zeekr")) |
||||
|
read_zeek_logs(loc) |
||||
|
unlink(loc) # don't do this IRL until you're done working with or saving. |
||||
|
} |
@ -0,0 +1,22 @@ |
|||||
|
% Generated by roxygen2: do not edit by hand |
||||
|
% Please edit documentation in R/zeek.R |
||||
|
\name{zeek} |
||||
|
\alias{zeek} |
||||
|
\title{Call the Zeek binary with optional custom environment variables and options} |
||||
|
\usage{ |
||||
|
zeek(zeek_bin = find_zeek(), args = c(), env = c()) |
||||
|
} |
||||
|
\arguments{ |
||||
|
\item{zeek_bin}{specify a complate path or let \code{\link[=find_zeek]{find_zeek()}} do the dirty work.} |
||||
|
|
||||
|
\item{args}{same as \code{\link[=system2]{system2()}} \code{args}} |
||||
|
|
||||
|
\item{env}{same as \code{\link[=system2]{system2()}} \code{env}} |
||||
|
} |
||||
|
\value{ |
||||
|
\code{list} with \code{stderr}, \code{stdout}, \code{status} and \code{errmsg} (invisibly) |
||||
|
} |
||||
|
\description{ |
||||
|
This is just a convenience wrapper around \code{\link[=system2]{system2()}}. See \code{\link[=find_zeek]{find_zeek()}} for |
||||
|
information on helping this package find the Zeek binary. |
||||
|
} |
@ -0,0 +1,95 @@ |
|||||
|
% Generated by roxygen2: do not edit by hand |
||||
|
% Please edit documentation in R/zeek-man.R |
||||
|
\name{zeek_man} |
||||
|
\alias{zeek_man} |
||||
|
\alias{man_zeek} |
||||
|
\title{Zeek Manual Page Quick Reference} |
||||
|
\usage{ |
||||
|
zeek_man() |
||||
|
|
||||
|
man_zeek() |
||||
|
} |
||||
|
\description{ |
||||
|
\code{zeek} - passive network traffic analyzer |
||||
|
} |
||||
|
\details{ |
||||
|
\subsection{SYNOPSIS}{ |
||||
|
|
||||
|
\strong{\code{zeek}} \verb{[*options*] [*file* ...]} |
||||
|
} |
||||
|
|
||||
|
\subsection{DESCRIPTION}{ |
||||
|
|
||||
|
Zeek is primarily a security monitor that inspects all traffic on a link in depth for signs of suspicious activity. More generally, however, Zeek supports a wide range of traffic analysis tasks even #' outside of the security domain, including performance measurements and helping with trouble-shooting. |
||||
|
|
||||
|
Zeek comes with built-in functionality for a range of analysis and detection tasks, including detecting malware by interfacing to external registries, reporting vulnerable versions of software seen on #' the network, identifying popular web applications, detecting SSH brute-forcing, validating SSL certificate chains, among others. |
||||
|
} |
||||
|
|
||||
|
\subsection{OPTIONS}{ |
||||
|
\itemize{ |
||||
|
\item \strong{\verb{<file>}}: policy file, or read stdin |
||||
|
\item \strong{\code{-a}}, \code{--parse-only}: exit immediately after parsing scripts |
||||
|
\item \strong{\code{-b}}, \code{--bare-mode}: don't load scripts from the base/ directory |
||||
|
\item \strong{\code{-d}}, \verb{--debug-policy:} activate policy file debugging |
||||
|
\item \strong{\code{-e}}, \verb{--exec <zeek code>}: augment loaded policies by given code |
||||
|
\item \strong{\code{-f}}, \verb{--filter <filter>}: tcpdump filter |
||||
|
\item \strong{\code{-h}}, \verb{--help|-?}: command line help |
||||
|
\item \strong{\code{-i}}, \verb{--iface <interface>}: read from given interface |
||||
|
\item \strong{\code{-p}}, \verb{--prefix <prefix>}: add given prefix to policy file resolution |
||||
|
\item \strong{\code{-r}}, \verb{--readfile <readfile>}: read from given tcpdump file |
||||
|
\item \strong{\code{-s}}, \verb{--rulefile <rulefile>}: read rules from given file |
||||
|
\item \strong{\code{-t}}, \verb{--tracefile <tracefile>}: activate execution tracing |
||||
|
\item \strong{\code{-w}}, \verb{--writefile <writefile>}: write to given tcpdump file |
||||
|
\item \strong{\code{-v}}, \code{--version}: print version and exit |
||||
|
\item \strong{\code{-x}}, \verb{--print-state <file.bst>}: print contents of state file |
||||
|
\item \strong{\code{-C}}, \code{--no-checksums}: ignore checksums |
||||
|
\item \strong{\code{-F}}, \code{--force-dns}: force DNS |
||||
|
\item \strong{\code{-I}}, \verb{--print-id <ID name>}: print out given ID |
||||
|
\item \strong{\code{-N}}, \code{--print-plugins}: print available plugins and exit (\strong{-NN} for verbose) |
||||
|
\item \strong{\code{-P}}, \code{--prime-dns}: prime DNS |
||||
|
\item \strong{\code{-Q}}, \code{--time}: print execution time summary to stderr |
||||
|
\item \strong{\code{-R}}, \verb{--replay <events.bst>}: replay events |
||||
|
\item \strong{\code{-S}}, \code{--debug-rules}: enable rule debugging |
||||
|
\item \strong{\code{-T}}, \verb{--re-level <level>}: set 'RE_level' for rules |
||||
|
\item \strong{\code{-U}}, \verb{--status-file <file>}: Record process status in file |
||||
|
\item \strong{\code{-W}}, \code{--watchdog}: activate watchdog timer |
||||
|
\item \strong{\code{-X}}, \verb{--zeekygen <cfgfile>}: generate documentation based on config file |
||||
|
\item **\verb{--pseudo-realtime[=**<speedup>]}: enable pseudo-realtime for performance evaluation (default 1) |
||||
|
\item \strong{\code{--load-seeds}} \verb{<file>}: load seeds from given file |
||||
|
\item \strong{\code{--save-seeds}} \verb{<file>}: save seeds to given file |
||||
|
} |
||||
|
|
||||
|
The following option is available only when Zeek is built with the \code{--enable-debug} configure option: |
||||
|
|
||||
|
\strong{\code{-B}}, \verb{--debug <dbgstreams>}: Enable debugging output for selected streams ('-B help' for help) |
||||
|
|
||||
|
The following options are available only when Zeek is built with \code{gperftools} support (use the \code{--enable-perftools} and \code{--enable-perftools-debug} configure options): |
||||
|
|
||||
|
\strong{\code{-m}}, \code{--mem-leaks}: show leaks |
||||
|
\strong{\code{-M}}, \code{--mem-profile}: record heap |
||||
|
} |
||||
|
|
||||
|
\subsection{ENVIRONMENT}{ |
||||
|
\itemize{ |
||||
|
\item \strong{\code{ZEEKPATH}}: file search path |
||||
|
\item \strong{\code{ZEEK_PLUGIN_PATH}}: plugin search path |
||||
|
\item \strong{\code{ZEEK_PLUGIN_ACTIVATE}}: plugins to always activate |
||||
|
\item \strong{\code{ZEEK_PREFIXES}}: prefix list |
||||
|
\item \strong{\code{ZEEK_DNS_FAKE}}: disable DNS lookups |
||||
|
\item \strong{\code{ZEEK_SEED_FILE}}: file to load seeds from |
||||
|
\item \strong{\code{ZEEK_LOG_SUFFIX}}: ASCII log file extension |
||||
|
\item \strong{\code{ZEEK_PROFILER_FILE}}: Output file for script execution statistics |
||||
|
\item \strong{\code{ZEEK_DISABLE_ZEEKYGEN}}: Disable Zeekygen (Broxygen) documentation support |
||||
|
} |
||||
|
} |
||||
|
|
||||
|
\subsection{AUTHOR}{ |
||||
|
|
||||
|
\strong{zeek} was written by The Zeek Project <info@zeek.org>. |
||||
|
} |
||||
|
} |
||||
|
\examples{ |
||||
|
zeek_man() |
||||
|
man_zeek |
||||
|
?zeek_man |
||||
|
} |
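--- /dev/null
+++ b/man/zeek_redefs.Rd
@@ -0,0 +1,25 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/zeek-redefs.R
+\name{zeek_redefs}
+\alias{zeek_redefs}
+\title{(WIP) Common \code{redef}initions for Zeek when processing PCAPs}
+\description{
+Zeek is great out-of-the-box, but you may need to tweak behavior
+every now and then to perform analyses on the Zeek logs.
+}
+\details{
+\itemize{
+\item \verb{redef Log::default_scope_sep = "_"} will turn dots ("\code{.}") in column
+names to underscores ("\verb{_}"). This will make many "big data" environments
+much more pleasant to deal with.
+\item \verb{redef FileExtraction::path = "/some/where/else"} will reconfigure where
+Zeek's output files go.
+\item \verb{redef FTP::default_capture_password = T} will turn off Zeek's default
+masking of FTP passwords.
+\item \verb{redef HTTP::default_capture_password=T} will turn off Zeek's default
+state of not capturing HTTP passwords.
+\item \verb{redef Intel::read_files += \{ "/opt/zeek_file_badlist.txt" \}} will load in
+custom IoCs (see the \href{https://docs.zeek.org/en/master/frameworks/intel.html}{Intelligence Framework})
+for more info.
+}
+}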
@ -0,0 +1,205 @@ |
|||||
|
# NAME |
||||
|
|
||||
|
zeek - passive network traffic analyzer |
||||
|
|
||||
|
# SYNOPSIS |
||||
|
|
||||
|
**zeek** \[*options*\] \[*file* \...\] |
||||
|
|
||||
|
# DESCRIPTION |
||||
|
|
||||
|
Zeek is primarily a security monitor that inspects all traffic on a link |
||||
|
in depth for signs of suspicious activity. More generally, however, Zeek |
||||
|
supports a wide range of traffic analysis tasks even outside of the |
||||
|
security domain, including performance measurements and helping with |
||||
|
trouble-shooting. |
||||
|
|
||||
|
Zeek comes with built-in functionality for a range of analysis and |
||||
|
detection tasks, including detecting malware by interfacing to external |
||||
|
registries, reporting vulnerable versions of software seen on the |
||||
|
network, identifying popular web applications, detecting SSH |
||||
|
brute-forcing, validating SSL certificate chains, among others. |
||||
|
|
||||
|
# OPTIONS |
||||
|
|
||||
|
**\<file>** |
||||
|
|
||||
|
: policy file, or read stdin |
||||
|
|
||||
|
**-a**, \--parse-only |
||||
|
|
||||
|
: exit immediately after parsing scripts |
||||
|
|
||||
|
**-b**, \--bare-mode |
||||
|
|
||||
|
: don\'t load scripts from the base/ directory |
||||
|
|
||||
|
**-d**, \--debug-policy |
||||
|
|
||||
|
: activate policy file debugging |
||||
|
|
||||
|
**-e**, \--exec \<zeek code> |
||||
|
|
||||
|
: augment loaded policies by given code |
||||
|
|
||||
|
**-f**, \--filter \<filter> |
||||
|
|
||||
|
: tcpdump filter |
||||
|
|
||||
|
**-h**, \--help\|-? |
||||
|
|
||||
|
: command line help |
||||
|
|
||||
|
**-i**, \--iface \<interface> |
||||
|
|
||||
|
: read from given interface |
||||
|
|
||||
|
**-p**, \--prefix \<prefix> |
||||
|
|
||||
|
: add given prefix to policy file resolution |
||||
|
|
||||
|
**-r**, \--readfile \<readfile> |
||||
|
|
||||
|
: read from given tcpdump file |
||||
|
|
||||
|
**-s**, \--rulefile \<rulefile> |
||||
|
|
||||
|
: read rules from given file |
||||
|
|
||||
|
**-t**, \--tracefile \<tracefile> |
||||
|
|
||||
|
: activate execution tracing |
||||
|
|
||||
|
**-w**, \--writefile \<writefile> |
||||
|
|
||||
|
: write to given tcpdump file |
||||
|
|
||||
|
**-v**, \--version |
||||
|
|
||||
|
: print version and exit |
||||
|
|
||||
|
**-x**, \--print-state \<file.bst> |
||||
|
|
||||
|
: print contents of state file |
||||
|
|
||||
|
**-C**, \--no-checksums |
||||
|
|
||||
|
: ignore checksums |
||||
|
|
||||
|
**-F**, \--force-dns |
||||
|
|
||||
|
: force DNS |
||||
|
|
||||
|
**-I**, \--print-id \<ID name> |
||||
|
|
||||
|
: print out given ID |
||||
|
|
||||
|
**-N**, \--print-plugins |
||||
|
|
||||
|
: print available plugins and exit (**-NN** for verbose) |
||||
|
|
||||
|
**-P**, \--prime-dns |
||||
|
|
||||
|
: prime DNS |
||||
|
|
||||
|
**-Q**, \--time |
||||
|
|
||||
|
: print execution time summary to stderr |
||||
|
|
||||
|
**-R**, \--replay \<events.bst> |
||||
|
|
||||
|
: replay events |
||||
|
|
||||
|
**-S**, \--debug-rules |
||||
|
|
||||
|
: enable rule debugging |
||||
|
|
||||
|
**-T**, \--re-level \<level> |
||||
|
|
||||
|
: set \'RE_level\' for rules |
||||
|
|
||||
|
**-U**, \--status-file \<file> |
||||
|
|
||||
|
: Record process status in file |
||||
|
|
||||
|
**-W**, \--watchdog |
||||
|
|
||||
|
: activate watchdog timer |
||||
|
|
||||
|
**-X**, \--zeekygen \<cfgfile> |
||||
|
|
||||
|
: generate documentation based on config file |
||||
|
|
||||
|
**\--pseudo-realtime\[=**\<speedup>\] |
||||
|
|
||||
|
: enable pseudo-realtime for performance evaluation (default 1) |
||||
|
|
||||
|
**\--load-seeds** \<file> |
||||
|
|
||||
|
: load seeds from given file |
||||
|
|
||||
|
**\--save-seeds** \<file> |
||||
|
|
||||
|
: save seeds to given file |
||||
|
|
||||
|
The following option is available only when Zeek is built with the \--enable-debug configure option: |
||||
|
|
||||
|
: |
||||
|
|
||||
|
**-B**, \--debug \<dbgstreams> |
||||
|
|
||||
|
: Enable debugging output for selected streams (\'-B help\' for help) |
||||
|
|
||||
|
The following options are available only when Zeek is built with gperftools support (use the \--enable-perftools and \--enable-perftools-debug configure options): |
||||
|
|
||||
|
: |
||||
|
|
||||
|
**-m**, \--mem-leaks |
||||
|
|
||||
|
: show leaks |
||||
|
|
||||
|
**-M**, \--mem-profile |
||||
|
|
||||
|
: record heap |
||||
|
|
||||
|
# ENVIRONMENT |
||||
|
|
||||
|
**ZEEKPATH** |
||||
|
|
||||
|
: file search path |
||||
|
|
||||
|
**ZEEK_PLUGIN_PATH** |
||||
|
|
||||
|
: plugin search path |
||||
|
|
||||
|
**ZEEK_PLUGIN_ACTIVATE** |
||||
|
|
||||
|
: plugins to always activate |
||||
|
|
||||
|
**ZEEK_PREFIXES** |
||||
|
|
||||
|
: prefix list |
||||
|
|
||||
|
**ZEEK_DNS_FAKE** |
||||
|
|
||||
|
: disable DNS lookups |
||||
|
|
||||
|
**ZEEK_SEED_FILE** |
||||
|
|
||||
|
: file to load seeds from |
||||
|
|
||||
|
**ZEEK_LOG_SUFFIX** |
||||
|
|
||||
|
: ASCII log file extension |
||||
|
|
||||
|
**ZEEK_PROFILER_FILE** |
||||
|
|
||||
|
: Output file for script execution statistics |
||||
|
|
||||
|
**ZEEK_DISABLE_ZEEKYGEN** |
||||
|
|
||||
|
: Disable Zeekygen (Broxygen) documentation support |
||||
|
|
||||
|
# AUTHOR |
||||
|
|
||||
|
**zeek** was written by The Zeek Project \<info\@zeek.org>. |